Why didn’t people sue their banks for fraud? Why did Congress need to
write a law about behaviour that is already covered by contract law
and fraud?

Well, I think that’s mostly a question about personalities, customs, and
precedents.

I was involved in one of the first-ever lawsuits against a spammer,
way back in 1997.
We won. (I was co-owner of Zilker Internet Park, a local ISP in Austin, Texas.)
We used nothing but existing laws.
For years I tried to convince people that we didn’t really need anti-spam
laws, because anti-fraud laws, contract law, etc. were sufficient.
Few people listened.
It took the badly flawed CAN-SPAM Act of 2003 before any big cases
against spammers were pursued and won.
No, that hasn’t wiped out spam, but it has perhaps helped keep it from
growing as much.
And it has helped people realize that containing spam is going to be
very difficult as long as there are inherently insecure OSes out there,
especially when one of them is a monoculture.

Now that there are laws saying automobiles have to have seat belts,
there is still an aftermarket for seatbelts (and mirrors, and reflectors, etc.).
Yet most cars have seat belts already installed, and that means more people
use them.

Speaking of banks, yesterday Adam noted on Emergent Chaos that
Standard Life Investments publicly admitted a breach, even though
there are no disclosure laws in the U.K. He says:

I’ve said before that there’s a new standard out there, even ahead of
the laws. It requires owning up to mistakes, and doing so promptly.

I wanna be clear on something: customers prefer it that way. Every
customer impacted knew about it (they got someone else’s bank
statement.) I bet fewer than 15 leave.

Once people, especially customers, come to expect something,
companies may do it without even being sued or having laws about it.

But people, for all their pride in individuality, are strongly influenced
by what everybody else does.
There seems to be a lot of psychological research about this;
see Stanley Milgram’s experiments, for example.
If everybody expects that companies will stonewall on breaches and
never say a word, then everybody will let companies get away with that.
If expectations change, companies can change.

What changes expectations?
Well, one thing that does is laws.
Even a law in a different country can change expectations locally.

Another is high profile people saying that something is possible.
Bruce Schneier is no stranger to that process.
For example, he was a co-author (as was I) of Dan Geer’s paper
“CyberInsecurity: The Cost of Monopoly” of 2003.
I distinctly remember that before that paper Microsoft’s monopoly
and the monoculture of software it produces was just not discussed
in polite company.
Now everybody talks about it.
This increases the possibility that something might be done about it.

It appears that Bruce is doing the same thing again.
Maybe that’s why he’s a thought leader.

3 thoughts on “IT Seat Belts”

I am all for seatbelts, ABS, and side impact air bags too! These are great safety features that the market has helped to create. However, seat belts do not make cars or passengers “naturally secure”, which I believe is what spawned this thread.

Yes, it was Iang who asked that question, not Pete.
Gunnar, good, you’re for seatbelts. And no doubt you can see that there is not only still an aftermarket for those, but also a market for seatbelts, air bags, etc., that sell as original equipment on new cars.
That plus engineering cars to be less fragile and to protect their occupants better I consider to be a lot more naturally secure than the state BN (Before Nader).
Certainly a lot more naturally secure than the current state of the IT industry, which is kind of like a mammal without homeostasis or an immune system,
constantly requiring a bubble suit and trips to intensive care to keep it alive.
-jsq